• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.7 no.8
• /
• pp.1732-1742
• /
• 2003

WPP protocol based a Credit card payment in mobile Internet uses WTLS which is security protocol of WAP. WTLS can't provide End­to­End security in network. In this paper, we propose a protocol both independent in mobile Internet platform and allow a security between user and VASP using Mobile Gateway in AIP. In particular, our proposed protocol is suitable in mobile Internet, since session key for authentication and initial payment process is generated using Weil Diffie­Hellman key exchange method that use additive group algorithm on elliptic curve.

• Proceedings of the CALSEC Conference
• /
• 2004.02a
• /
• pp.75-82
• /
• 2004

Recently introduced by the major credit card associations as replacements for the decommissioned SET and 3DSET protocols, the new payment models, 3DSecure and UCAF/SPA, have been designed to provide online merchants with a solution to an existing problem in online credit card transactions - the lack of an effective and efficient means of authenticating cardholders. The expected benefits arising from this added level of security from the merchant′s perspective are increased consumer confidence, significant reduction in the levels of fraud and charge backs and "liability shift". Using data gleaned from preliminary interviews, discussion forums and promotional material, we present a critical analysis of the potential barriers and facilitators that will impact on the widespread traction of these programs in the marketplace in the coming years.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.1
• /
• pp.5-15
• /
• 2015

Electronic transactions have been increasing with the development of the high-speed Internet and wireless communication. However, in recent years financial corporations and mobile carriers were attacked by hackers. And large numbers of privacy information have been leaked. In particular, in the case of credit card information can be misused in the online transaction, and the damage of this given to cardholder. To prevent these problems, it has been proposed to use a virtual card number instead of the actual card number. But it has security vulnerability and requires additional security infrastructure. In this paper, we analyzed the proposed virtual card number schemes. and we propose a new virtual credit card number scheme. In the newly proposed scheme, cardholder generates a key pair (public key/private key) and pre-register public key to the issuer. then, cardholder can pay no additional security infrastructure while still efficiently satisfy the security requirements.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.3
• /
• pp.379-388
• /
• 2020

As the use of credit cards increases, security threats increase. In particular, despite being vulnerable to related crimes, such as fraudulent use of credit cards and theft of names, there are virtually no security procedures to authenticate the validity of user while paying with the credit card. In order to overcome these limitations of current credit card payments, we add a process of signing payment using a stylus pen with built-in acceleration sensor in the existing transaction method, and classifying and comparing the image of the signature and signature information measured by the sensor through the convolutional neural network. we propose a method to improve security in financial transactions by performing the user authentication process through the possession of the stylus pen and the characteristic values of the signature.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2007.06a
• /
• pp.76-79
• /
• 2007

RFID is issued as a core technology for Ubiquitous environment recently. Especially, Mobile RFID which is converged with RFID and wireless internet, provides new services to users, increased added-value to service providers. For commercial service of Mobile RFID, it needs an accounting service. The Diameter Base Protocol, mostly used for authentication, authorization, and accounting service, supports only deferred accounting service. For more variable accounting policy, Diameter Credit-Control Application which is capable of prepayment accounting, also should be considered. In this paper, a new accounting model with Diameter Credit-Control Application for Mobile RFID service is proposed.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.16 no.1
• /
• pp.1-5
• /
• 2016

The all-in-one service, for example, mobile wallet enables users to have credit card, membership card, and coupon in one place. It has been one of important o2o services with offline payment. In order to take advantage of mobile commerce, it is necessary to authenticate clients automatically without entering their passwords. This paper proposes an automatic client authentication method in all-in-one service. At registration, clients receives and stores an authentication ticket from a company, which contains an user's identifier and password encrypted by company's symmetric key. Client can be authenticated by transferring authentication tickets to companies at service requests.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.26 no.3
• /
• pp.563-572
• /
• 2016

Recently, a plenty of credit card payment protocols have been proposed in Korea. Several features of proposed protocols include: using passwords for user authentication in stead of official certificate for authenticity, and no need to download additional security module via ActiveX into user's devices. In this paper, we suggest two new credit card payment protocols that use both SSL(Security Socket Layer) as a standardized secure transaction protocol and password authentication to perform online shopping and payment. The first one is for the case where online shopping mall is different from PG(Payment Gateway) and can be compared to PayPal-based payment methods, and the second one is for the case where online shopping mall is the same as PG and thus can be compared to Amazon-like methods. Two proposed protocols do not require users to perform any pre-registration process which is separate from an underlying shopping process, instead users can perform both shopping and payment into a single process in a convenient way. Also, users are asked to input a distinct payment password, which increases the level of security in the payment protocols. We believe that two proposed protocols can help readers to better understand the recent payment protocols that are suggested by various vendors, and to analyze the security of their payment protocols.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.20 no.3
• /
• pp.9-21
• /
• 2010

Recently, famous online shopping websites were hit by hacking attack, and many users' personal information such as ID, password, account number, personal number, credit card number etc. were compromised. Hackers are continuing to attack online shopping websites, and the number of victims of these hacking is increasing. Especially, the exposure of credit card numbers is dangerous, because hackers maliciously use disclosed card numbers to gain money. In 2007 Financial Cryptography Conference, Ian Molly et al. firstly proposed dynamic card number generator, but it doesn't meet reuse resistant. In this paper, we analyzed security weaknesses of Ian Molly's scheme, and we proposed a new one-time virtual card number generator using a mobile device which meets security requirements of one-time virtual card numbers. Then, we propose one-time credit card number generation and transaction protocol using Integrated Authentication Center for user convenience and security enhancement.

• Journal of Digital Convergence
• /
• v.13 no.7
• /
• pp.197-205
• /
• 2015

Existing Web authentication method utilizes the resident registration number by credit rating agencies separating i-PIN authentication method which has been improved authentication using resident registration number via the real name confirmation database. By improving the existing authentication method, and it provides the available integrated ID authentication on Web. In order to enhance safety, the proposed authentication method by encrypting the user of the verification value, and stores the unique identifier in the database of the certificate authority. Then, the password required to log in to the Web is for receiving a disposable random from the certificate authority, the user does not need to remember a separate password and receives the random number by using the smart phone. It does not save the user's personal information in the database, and it is easy to management of personal information. Only the integration ID needs to be remembered with random number on every time. It doesn't need to use various IDs and passwords if you use this proposed authentication methods.

• International Journal of Internet, Broadcasting and Communication
• /
• v.8 no.1
• /
• pp.7-18
• /
• 2016

Several authentication methods have been developed to make use of tokens in the mobile networks and smart payment systems. Token used in smart payment system is genearated in place of Primary Account Number. The use of token in each payment transaction is advantageous because the token authentication prevents enemy from intercepting credit card number over the network. Existing token authentication methods work together with the cryptogram, which is computed using the shared key that is provisioned by the token service provider. Long lifetime and repeated use of shared key cause potential brawback related to its vulnerability against the brute-force attack. This paper proposes a per-transaction shared key mechanism, where the per-transaction key is agreed between the mobile device and token service provider for each smart payment transaction. From server viewpoint, per-transaction key list is easy to handle because the per-transaction key has short lifetime below a couple of seconds and the server does not need to maintain the state for the mobile device. We analyze the optimum size of the per-transaction shared key which satisfy the requirements for transaction latency and security strength for secure payment transactions.